SharpSpring, like most major email service providers (ESPs), provides custom DKIM configuration using CNAME records.
Why do major ESPs use CNAME for DKIM?
The benefits of CNAME records are two-fold:
- Simplicity - CNAME delegates authority for handling DKIM keys to SharpSpring, so that customers never have to manage the complexity of generating public/private key pairs, sending us a private key for signing, and then properly adding DKIM TXT records to DNS themselves.
- Security - SharpSpring follows DKIM security best practices and periodically rotates keys. With CNAME records, a customer can set DKIM records just once in their DNS, but benefit from the periodic key rotation that we manage on our end.
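The delegation and rotation described above, as an added example that is not SharpSpring's own code. In-memory records stand in for DNS, and the selector `sel1`, the host `sel1.dkim.esp.example` and the key strings are constructed placeholders, not real SharpSpring values.

```python
# Constructed records: selector, hostnames and key strings are placeholders.
CUSTOMER_ZONE = {("sel1._domainkey.example.com", "CNAME"): "sel1.dkim.esp.example"}
ESP_ZONE = {("sel1.dkim.esp.example", "TXT"): "v=DKIM1; k=rsa; p=PLACEHOLDERKEYA"}

def resolve_dkim(selector, domain, records, max_hops=5):
    """Follow CNAMEs from <selector>._domainkey.<domain> until a TXT record."""
    name = f"{selector}._domainkey.{domain}".lower().rstrip(".")
    chain = [name]
    for _ in range(max_hops):
        txt = records.get((name, "TXT"))
        if txt is not None:
            return chain, txt
        target = records.get((name, "CNAME"))
        if target is None:
            return chain, None          # record missing, e.g. never created
        name = target.lower().rstrip(".")
        chain.append(name)
    return chain, None                  # loop or chain longer than max_hops

def parse_dkim(txt):
    """Split a DKIM key record into tag=value pairs (whitespace removed)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags

def check_delegation(selector, domain, records):
    """Report whether the selector resolves, via CNAME, to a usable key."""
    chain, txt = resolve_dkim(selector, domain, records)
    if txt is None:
        return {"ok": False, "chain": chain, "reason": "no DKIM TXT record"}
    tags = parse_dkim(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"ok": False, "chain": chain, "reason": "not a DKIM1 record"}
    if not tags.get("p"):
        return {"ok": False, "chain": chain, "reason": "empty p= (revoked key)"}
    return {"ok": True, "chain": chain, "delegated": len(chain) > 1, "key": tags["p"]}

if __name__ == "__main__":
    print(check_delegation("sel1", "example.com", {**CUSTOMER_ZONE, **ESP_ZONE}))
    # The ESP rotates its key; the customer's CNAME is untouched.
    rotated = {("sel1.dkim.esp.example", "TXT"): "v=DKIM1; k=rsa; p=PLACEHOLDERKEYB"}
    print(check_delegation("sel1", "example.com", {**CUSTOMER_ZONE, **rotated}))
    # A provider that refused the underscore name leaves no CNAME at all.
    print(check_delegation("sel1", "example.com", ESP_ZONE))
```

To run the same check against live DNS, replace the `records` lookup with real CNAME and TXT queries for your own selector and domain.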
What about the Underscore?
Not all DNS providers allow underscore characters in the Name field of CNAME records, such as the one necessary for the lookup of [selector]._domainkey.[example.com]. Rejecting underscores there is against specifications, but we still see it occasionally, even from a handful of widely used services.
What's the solution?
We recommend one of these three options: (1) contact your current DNS provider for assistance, (2) host a secondary email sending domain with a registrar that allows CNAME records with underscores, or (3) switch DNS providers entirely.
- Contact your current DNS provider for assistance: While some DNS providers don’t directly allow users to create CNAME records within their UI, some customers have been able to successfully escalate a request to their DNS provider for adding CNAME records containing underscores.
- Secondary email sending domain: After confirming that your current DNS provider truly doesn’t support CNAME records with underscores, you may decide to create a secondary email sending domain, and then have another DNS provider host those records. A number of well-known, dedicated DNS providers support CNAME records with underscores and have free tiers, e.g. Namecheap, EasyDNS, Cloudflare, Hurricane Electric Free DNS, FreeDNS, and others.
- Switch DNS providers: If your current DNS provider does not support CNAME records with underscores, and you prefer not to create a secondary email sending domain, you will need to migrate to another DNS provider entirely to have your current domain authenticated with DKIM. The DNS providers above are several potential options that support CNAME records with underscores. With this option, you will contact your registrar and change your nameserver to the new DNS service, and then proceed to create new DKIM records at the new DNS service.